L2TP VPN clients access to LAN

Hi all,

I’m struggling to give L2TP VPN clients access to LAN devices; I can also see that when connected to the VPN I’m not getting the VPN server’s external IP address. I have connected this “problematic” router with another MikroTik router using a GRE tunnel and everything works just fine — I can access both sites’ LAN devices, but not when connected via L2TP. What I have tried already:
- set bridge to proxy-arp - no luck
- change VPN user local address to LAN DHCP range - no luck
- set some firewall forward rules to allow VPN subnet to access LAN subnet - no luck
- disable all FW rules - no luck
- set some firewall & NAT rules to log traffic - no records in logs

The VPN itself works — the computer says the VPN is connected, but it seems like I have connected to a black hole :slight_smile: You may see IP 192.168.10.225 in the FW rules — that’s the device I’m pinging from my PC and trying to reach over the VPN. IPs 192.168.10.99 and 192.168.99.99 are my VPN user’s Local and Remote IPs (I’ve just been trying different combinations and assignments of those two). Any help appreciated. Adding my configuration.

# jul/22/2024 12:46:06 by RouterOS 6.49.10
# software id = R3YP-2C77
#
# model = RB3011UiAS
# serial number = HFJ09E9D9NK
# NOTE(review): the software id and serial number above identify this exact
# unit and are not needed to reproduce the problem; they could be trimmed
# before an export is posted publicly.
/interface bridge
# proxy-arp on the bridge was one of the attempts listed in the question; it
# only helps when VPN clients hold addresses inside 192.168.10.0/24, and in
# this export the VPN pool (vpn-ipsec) is 192.168.99.0/24.
add admin-mac=78:9A:18:EB:5E:25 arp=proxy-arp auto-mac=no comment=defconf name=\
    bridge
/interface gre
# No ipsec-secret is set on this GRE interface, so the site-to-site tunnel
# carries traffic unencrypted unless IPsec is configured elsewhere (not
# visible in this export).
add allow-fast-path=no local-address=****hidden**** name=Head-Office \
    remote-address=****hidden**** 
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# LAN DHCP pool and the separate VPN client pool.
add name=dhcp ranges=192.168.10.10-192.168.10.254
add name=vpn-ipsec ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# Both local-address and remote-address are drawn from the same vpn-ipsec
# pool; a reply below suggests the router's LAN address (192.168.10.1) as
# local-address instead.  No interface-list is set, so dynamic L2TP
# interfaces are not members of the LAN list the firewall below relies on.
add change-tcp-mss=yes local-address=vpn-ipsec name=VPN remote-address=\
    vpn-ipsec
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# use-ipsec=required: L2TP sessions are only accepted inside IPsec.  The
# IPsec secret does not appear in this export.
set default-profile=VPN enabled=yes use-ipsec=required
/interface list member
# Only bridge (LAN) and ether1 (WAN) are list members; L2TP client
# interfaces belong to neither list.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=172.16.5.2/30 interface=Head-Office network=172.16.5.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
    192.168.10.1 netmask=24
/ip dns
# The router resolves DNS for remote requesters.  The input chain below only
# accepts WAN traffic for Winbox (one source), ESP, UDP 500/1701/4500 and
# ICMP before its final drop, so port 53 is not reachable from WAN.
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall address-list
# The "admins" list is not referenced by any rule in this export.
add address=192.168.10.99 list=admins
add address=192.168.99.99 list=admins
/ip firewall filter
# First rule of the forward chain (ahead of fasttrack), so any forwarded
# packet to the test host would be logged; the question reports no log
# entries, which suggests VPN traffic never enters the forward chain.
add action=log chain=forward dst-address=192.168.10.225
# These two ipsec-policy accepts duplicate the "defconf: accept in/out ipsec
# policy" rules further down the chain.
add action=accept chain=forward comment="accept in ipsec" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec" ipsec-policy=\
    out,ipsec
add action=accept chain=forward comment="Test OVPN filter rule" disabled=yes \
    in-interface=all-ppp out-interface=bridge
# Management (Winbox, TCP 8291) reachable from outside, limited only by the
# single hidden source address.  A reply below recommends reaching Winbox
# over the VPN instead; the asker describes this rule as temporary.
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
   ****hidden****
# Disabled diagnostic accepts for PPP interfaces (with logging).
add action=accept chain=input disabled=yes in-interface=all-ppp log=yes
add action=accept chain=forward disabled=yes in-interface=all-ppp log=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# WAN-side accepts needed for L2TP/IPsec: ESP, IKE (500), NAT-T (4500) and
# L2TP (1701).
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=1701,500,4500 in-interface-list=WAN \
    protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP is accepted from any interface before the final input drop, so the
# router's own address answers pings from the VPN even when everything else
# from the PPP interface is dropped.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Disabled.  Even if enabled it cannot match: it requires in-interface=all-ppp
# AND in-interface-list=LAN, and PPP interfaces are not in the LAN list here.
add action=accept chain=input comment=\
    "defconf: allow l2tp einantas network access internal" disabled=yes \
    in-interface=all-ppp in-interface-list=LAN
# Final input drop.  L2TP client interfaces are not in LAN, so new
# connections from VPN clients to router services (e.g. DNS on 192.168.10.1)
# end here unless accepted above.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Duplicates of the two ipsec-policy accepts near the top of the chain.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
# Only WAN-sourced new connections are dropped; the forward chain has no
# final drop, so new connections from PPP interfaces fall through to the
# chain's default accept.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
# Masquerades traffic leaving towards VPN clients (LAN -> VPN direction); it
# does not touch the VPN -> LAN direction.  A reply below replaces it with a
# src-address based rule.
add action=masquerade chain=srcnat out-interface=all-ppp
# dstnat logging for the test host; NAT chains are only consulted for the
# first packet of a new connection.
add action=log chain=dstnat dst-address=192.168.10.225
/ip route
# Static route to the remote site's LAN over the GRE tunnel.
add distance=1 dst-address=192.168.1.0/24 gateway=172.16.5.1
/lcd
set read-only-mode=yes
/ppp secret
# No password appears in this export.  No per-user local/remote address is
# set, so the VPN profile's pool assignment applies.
add name=eimantas profile=VPN service=l2tp
/system clock
set time-zone-name=Europe/Vilnius
/tool mac-server
# MAC-telnet and MAC-Winbox restricted to LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Under /ppp profile the local address needs to be 192.168.10.1
The remote takes an IP from the pool and you then have a network when it connects.

Think about what you are asking the router to do when it connects with your current setting, and go look at the IP route table when connected.

Change srcnat rule for all-ppp to this, leave all other config as is
# No out-interface is given, so this applies on every egress interface: LAN
# hosts see VPN clients as the router's address on the bridge rather than
# their 192.168.99.x address, which also hides the client in LAN-side logs.
add action=masquerade chain=srcnat src-address=192.168.99.0/24

# NOTE(review): as written this matches src 192.168.10.0/24 -> dst
# 192.168.99.0/24, i.e. LAN -> VPN, while the comment says "Allow VPN to LAN";
# for the VPN -> LAN direction src-address and dst-address would be swapped.
/ip firewall filter add chain=forward src-address=192.168.10.0/24 dst-address=192.168.99.0/24 action=accept comment="Allow VPN to LAN"

You have a small mix-up in the firewall section: the IPsec policy rules are repeated twice. Try to group the input-chain rules together under INPUT and the forward-chain rules together under FORWARD. Rules are evaluated from top to bottom, so the order also matters.
INPUT CHAIN -> To the router or to router services. Directional flow is WAN to router and LAN to router.
FORWARD CHAIN -> Through the router. Directional flow is LAN to LAN, LAN to WAN, WAN to LAN.
OUTPUT CHAIN -> From the router. Directional flow is router to WAN.

I would not recommend using the Winbox rule because it is not safe!
# The only restriction on this rule is the (hidden) src-address; it still
# exposes TCP 8291 to the Internet.  The recommendation above is to reach
# Winbox over the VPN instead of through a WAN-facing accept.
add action=accept chain=input dst-port=8291 protocol=tcp src-address=
hidden
If there is a need to access winbox, we use vpn.

Changed it as suggested — it doesn’t work anyway. I can only ping my router IP. Also, to me it doesn’t look like a really good idea to assign the router IP to the VPN user.

This rule sadly won’t help either.

Thanks for the nice explanation of the FW rules’ meaning and ordering; I fixed the rule ordering, never actually thought it might cause trouble. The Winbox rule for now is configured just because the VPN is not working properly; it surely will be removed later on. BTW, is VPN traffic for MikroTik an input or a forward (FW) rule? It’s treated like coming from WAN, yes? Adding my new configuration for inspection.

/interface bridge
# proxy-arp kept from the earlier attempt; it only helps when VPN clients
# hold addresses inside 192.168.10.0/24 (the VPN pool below is 192.168.99.0/24).
add admin-mac=78:9A:18:EB:5E:25 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface gre
# No ipsec-secret on the GRE interface: the site-to-site tunnel is
# unencrypted unless IPsec is configured elsewhere (not in this export).
add allow-fast-path=no local-address=hidden name=Head-Office \
    remote-address=hidden
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.10-192.168.10.254
add name=vpn-ipsec ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# local-address now comes from the LAN DHCP pool; the ppp secret below
# overrides both addresses for the one user.  Still no interface-list, so
# dynamic L2TP interfaces are not LAN-list members for the firewall.
add change-tcp-mss=yes local-address=dhcp name=VPN remote-address=vpn-ipsec
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# L2TP only accepted inside IPsec; the IPsec secret is not in this export.
set default-profile=VPN enabled=yes use-ipsec=required
/interface list member
# Only bridge (LAN) and ether1 (WAN); PPP interfaces are in neither list.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.10.1/24 comment=defconf interface=bridge network=\
    192.168.10.0
add address=172.16.5.2/30 interface=Head-Office network=172.16.5.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.1 gateway=\
    192.168.10.1 netmask=24
/ip dns
# Remote DNS requests are answered, but nothing in the input chain below
# accepts port 53 from WAN before the final drop.
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall address-list
# "admins" is still not referenced by any rule in this export.
add address=192.168.10.99 list=admins
add address=192.168.99.99 list=admins
/ip firewall filter
add action=accept chain=forward comment="Test OVPN filter rule" disabled=yes \
    in-interface=all-ppp out-interface=bridge
# Winbox (TCP 8291) reachable from outside, limited to one hidden source
# address; described by the asker as temporary until the VPN works.
add action=accept chain=input dst-port=8291 protocol=tcp src-address=\
    hidden
# Disabled diagnostic accepts for PPP interfaces.
add action=accept chain=input disabled=yes in-interface=all-ppp log=yes
add action=accept chain=forward disabled=yes in-interface=all-ppp log=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# WAN-side accepts for L2TP/IPsec (ESP, IKE 500, NAT-T 4500, L2TP 1701).
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=1701,500,4500 in-interface-list=WAN \
    protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP accepted from any interface ahead of the final drop -- this matches
# the report that only the router's own IP answers pings over the VPN.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Disabled, and could not match anyway: PPP interfaces are not in LAN, so
# in-interface=all-ppp and in-interface-list=LAN never hold at the same time.
add action=accept chain=input comment=\
    "defconf: allow l2tp einantas network access internal" disabled=yes \
    in-interface=all-ppp in-interface-list=LAN
# Final input drop; new connections from VPN clients to router services
# (other than ICMP) end here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# VPN -> LAN logging and accept, placed before fasttrack so new connections
# are seen here.  The accept also logs every matching packet (log=yes),
# which is fine for troubleshooting but noisy to leave on.
add action=log chain=forward dst-address=192.168.10.0/24 src-address=\
    192.168.99.0/24
add action=accept chain=forward comment="Allow VPN to LAN" dst-address=\
    192.168.10.0/24 log=yes src-address=192.168.99.0/24
# The ipsec-policy accepts are still present twice (here and as the defconf
# pair below); the second pair can never be reached for matching packets.
add action=accept chain=forward comment="accept in ipsec" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="accept out ipsec" ipsec-policy=\
    out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# No final forward drop: only WAN-sourced new connections are dropped, so
# anything from PPP interfaces not matched above is accepted by default.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# srcnat logging for the test host (NAT chains see only the first packet of
# a connection).
add action=log chain=srcnat dst-address=192.168.10.225
# Masquerade for the VPN pool on every egress interface (no out-interface):
# LAN hosts see VPN clients as the router's bridge address, so LAN-side logs
# no longer show the client's 192.168.99.x address.
add action=masquerade chain=srcnat log=yes src-address=192.168.99.0/24
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=172.16.5.1
/lcd
set read-only-mode=yes
/ppp secret
# Per-user addresses override the profile: router side 192.168.10.1, client
# 192.168.99.99.  No password appears in this export.
add local-address=192.168.10.1 name=eimantas profile=VPN remote-address=\
    192.168.99.99 service=l2tp
/system clock
set time-zone-name=Europe/Vilnius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Do not mix the input chain with the forward chain. They are much easier to read and understand, and later to troubleshoot firewall-related issues, if kept separate. ORDER WITHIN A CHAIN itself is critical!

/ip firewall filter
# NOTE(review): the "(Input chain )" and "(Forward chain )" labels below are
# not script syntax; remove them or turn them into # comments before pasting.
(Input chain )
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP accepted from any interface, before the final drop.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# L2TP/IPsec accepts restricted to the WAN list.
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=1701,500,4500 in-interface-list=WAN \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Both disabled.  The first cannot match while PPP interfaces are outside the
# LAN list; the second, if enabled, would admit VPN clients to every router
# service -- narrowing it to the needed ports (e.g. dst-port=53) is safer.
add action=accept chain=input comment=\
    "defconf: allow l2tp einantas network access internal" disabled=yes \
    in-interface=all-ppp in-interface-list=LAN
add action=accept chain=input disabled=yes in-interface=all-ppp log=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN	
(Forward chain )
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Log only; the packet continues down the chain.
add action=log chain=forward dst-address=192.168.10.0/24 src-address=\
    192.168.99.0/24	
add action=accept chain=forward comment="Test OVPN filter rule" disabled=yes \
    in-interface=all-ppp out-interface=bridge
# No explicit VPN -> LAN accept is enabled in this version, and there is no
# final forward drop, so new connections from PPP interfaces rely on the
# chain's default accept after this WAN-only drop.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

DEFAULT (what you use) – the default config is set up on an ALLOW-everything concept, with an attempt to block traffic that has no need for access – mostly external traffic.
BETTER – most MikroTik admins move to a different concept, which is BLOCK everything and allow only known, needed traffic flows. This is accomplished by slightly modifying some default rules and then adding a drop rule at the end of the input and forward chains.
If interested, I can copy an example. What is happening with the VPN now? Getting to LAN resources?

An example of well-made FW rules would be appreciated :slight_smile:

Nope, so actually can’t ping anything from VPN… And as mentioned, in GRE tunnel everything works perfectly from both sides…

If you use this configuration method, where “everything is blocked and only what you yourself allow” is allowed, then you may also need to make adjustments to the firewall configuration and open an additional rule for GRE.
I would recommend you to try Wireguard. It works well and is not very complicated to configure.
Site-to-site configuration example-https://www.youtube.com/watch?v=uVag_e475zc

/ip firewall address-list
# Example subnets: 192.168.88.0/24 is the RouterOS default LAN.  The asker's
# LAN is 192.168.10.0/24 with a VPN pool in 192.168.99.0/24, so both lists
# must be adapted.  Note the VPN range here lies inside Local-LAN, i.e. this
# example gives VPN clients addresses from the LAN subnet.
add address=192.168.88.0/24 list=Local-LAN
add address=192.168.88.230-192.168.88.250 list=VPN
/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
# Drops ICMP arriving on WAN-list interfaces unless the source is in
# Local-LAN; ICMP from other interfaces is decided by the rules below.
add action=drop chain=input comment="Drop Only in ICMP" in-interface-list=WAN \
    protocol=icmp src-address-list=!Local-LAN
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=tcp
# No in-interface-list on these two L2TP/IPsec accepts, so they match on
# every interface; the second copy of this example further down restricts
# them to in-interface-list=WAN, which is the tighter form.
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
# Accepts everything from LAN-list interfaces.  If the PPP profile places
# L2TP interfaces into the LAN list (as suggested later), VPN clients reach
# all router services through this rule; narrow it if that is not intended.
add action=accept chain=input in-interface-list=LAN
# Default-deny for the input chain.
add action=drop chain=input comment="Drop all else"
# hw-offload on fasttrack-connection is, as far as I know, a RouterOS 7
# option; the asker's export header shows 6.49.10 -- confirm before importing.
add action=fasttrack-connection chain=forward comment=Fatsttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
# VPN -> LAN allow matched purely by address lists, so it works whether or
# not the PPP interfaces belong to an interface list.
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
    src-address-list=VPN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
# Default-deny for the forward chain.  Site-to-site (GRE) traffic needs its
# own accept above this line, as the reply notes.  This example covers the
# filter table only; srcnat/masquerade is not shown.
add action=drop chain=forward comment="Drop everything else"

Could you help me to fix my L2TP first, please?

Will clients connect through L2TP as remote clients, or will it be L2TP site-to-site tunnel mode?
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

Clients (mostly Windows clients) will connect to L2TP and should have access to few services inside local network

In order to have a guarantee, it is better to use the version where “everything is blocked and only what you yourself allow is allowed”.
If the device to which L2TP will connect is “problematic”, then you can probably change the existing firewall configuration to the one I copied, and everything should work. If the firewall rules are correctly defined, there will be no problems with the traffic flow either. If the firewall is an incomprehensible mix, operation will also be unstable and there will be connection failures.
Of course we don’t forget:

  1. enable the L2TP server, set the IPsec password, define the PPP profile and password; it is desirable to set Interface-list=LAN in the Profile there.
  2. create a profile, Identity, Peers in the IPsec section.
    In the Forward section, we use a rule that provides access from VPN to Local-LAN (already copied in the example):
    add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \ src-address-list=VPN
    As an additional help, examples of youtube videos can be useful. https://www.youtube.com/watch?v=XYtfAdgPDBU
/ip firewall address-list
# Example subnets (192.168.88.0/24 is the RouterOS default LAN); adapt to
# the asker's 192.168.10.0/24 LAN and 192.168.99.0/24 VPN pool.  The VPN
# range lies inside Local-LAN, so VPN clients are LAN-subnet addresses here.
add address=192.168.88.0/24 list=Local-LAN
add address=192.168.88.230-192.168.88.250 list=VPN

/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
# Drops ICMP from WAN-list interfaces unless the source is in Local-LAN.
add action=drop chain=input comment="Drop Only in ICMP" in-interface-list=WAN \
    protocol=icmp src-address-list=!Local-LAN
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=tcp
# L2TP/IPsec accepts limited to WAN-list interfaces (tighter than the first
# copy of this example, which had no in-interface-list).
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
# Router access requires both a LAN-list interface AND a Local-LAN source.
# With the PPP profile's Interface-list=LAN (step 1 above) and VPN addresses
# inside Local-LAN, VPN clients pass this rule and reach all router services.
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=LAN \
    src-address-list=Local-LAN
# Default-deny for the input chain.
add action=drop chain=input comment="Drop all else"
# hw-offload on fasttrack-connection is, as far as I know, a RouterOS 7
# option; the asker's export header shows 6.49.10 -- confirm before importing.
add action=fasttrack-connection chain=forward comment=Fatsttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
# VPN -> LAN allow matched by address lists only.
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
    src-address-list=VPN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
# Default-deny for the forward chain; GRE site-to-site traffic needs its own
# accept above this line.  Filter table only; srcnat is not shown.
add action=drop chain=forward comment="Drop everything else"

Oh my days… Long story short – it’s working, and the FW rules were just fine from the beginning.

Longer version: I’m configuring this MikroTik from another site (you saw the forward rule which allows Winbox from an external IP), so I connect from my PC (it’s important to mention that my PC is a MacBook) to that site’s VPN (that’s also a MikroTik), which works just fine for me, and then from some local machine to the MikroTik whose VPN was not working, and make changes there. I couldn’t understand why it was giving me so much headache, so today I took a Windows machine, configured a new profile for it, and it worked without any issues! I removed/disabled all the rules added as suggested in this thread and it’s still working fine. Then I remembered that in macOS there is some magic that needs to be done to make it work, so I just went to Settings → VPN → MyVPNProfile → Options → and enabled the tick box which says “Send All Traffic Over VPN Connection” and voilà… So actually we were trying to fix my OS issue using the MikroTik firewall :slight_smile: Thank you all for your help!
BTW I will make my firewall more strict as suggested, thanks once again.